The MAILING DATE of this communication appears on the cover sheet with the correspondence address.
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 17 August 2000.
2a) [ ] This action is FINAL. 2b) [X] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) [X] Claim(s) 1-34 is/are pending in the application.

4a) Of the above claim(s) ___ is/are withdrawn from consideration.

5) [ ] Claim(s) ___ is/are allowed.

6) [X] Claim(s) 1-34 is/are rejected.

7) [X] Claim(s) 27 is/are objected to.

8) [ ] Claim(s) ___ are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [ ] The drawing(s) filed on ___ is/are: a) [ ] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) [X] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [ ] None of:

1. [ ] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. ___.

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.
DETAILED ACTION



Claims 1-34 have been examined and are pending. 



Information Disclosure Statement 

An initialed and dated copy of Applicant's IDS form 1449, Paper No. 2, is 
attached to the instant Office action. 



Oath/Declaration 

The oath or declaration is defective. A new oath or declaration in 
compliance with 37 CFR 1.67(a) identifying this application by application 
number and filing date is required. See MPEP §§ 602.01 and 602.02. 

The oath or declaration is defective because: 

Not all of the listed inventors have signed the oath. 



Priority 

Applicant's claim for domestic priority under 35 U.S.C. 119(e) is
acknowledged.
Claim Rejections - 35 USC § 112, second paragraph

Claims 16 and 20 are rejected under 35 U.S.C. 112, second paragraph, as 
being indefinite for failing to particularly point out and distinctly claim the subject 
matter which applicant regards as the invention. Claim 16 recites the limitation 
"the severity level". There is insufficient antecedent basis for this limitation in the 
claim. Claim 20 recites the limitation "the report servlets". There is insufficient 
antecedent basis for this limitation in the claim. Clarification and/or correction are 
required. 

Claim Objections 

Claim 20 is objected to because of the following informalities: misspelling
"receving". Appropriate correction is required. 



Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 
that form the basis for the rejections under this section made in this Office 
action: 

A person shall be entitled to a patent unless 

(e) the invention was described in a patent granted on an application for 
patent by another filed in the United States before the invention thereof by the 
applicant for patent, or on an international application by another who has 
fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of
this title before the invention thereof by the applicant for patent. 

Claims 1-10, 12-15, 17-22, 25-31, 33 and 34 are rejected under 35
U.S.C. 102(e) as being anticipated by Orchier et al, herein Orchier, (USP
6,070,244).



As per claim 1 , Orchier teaches an event parser in communication with at 
least one network service device, the event parser being able to receive log data 
in real time from the device, the log data including information detailing a network 
intrusion event received from the network service device if an intrusion has 
occurred, the event parser being able to parse the information to create a 
corresponding event object concerning the intrusion event (column 4, lines 5-10); 

an event manager in communication with the event parser, the event 
manager being able to receive the event object, the event manager being 
configured to evaluate the event object according to at least one predetermined 
threshold condition such that, when the event object satisfies the predetermined 
threshold condition, the event manager designates the event object to be 
broadcast in real time (column 4, lines 10-21); 

an event broadcaster in communication with the event manager for 
receiving event objects designated by the event manager for broadcast, the 
event broadcaster being able to transmit the event object in real time as an 
intrusion alarm; and means for alerting the user that a network intrusion event
has occurred (column 4, lines 27-30). 



As per claim 25, Orchier teaches receiving log data in real time, the log 
data including information detailing at least one network intrusion event received 
from the at least one network service device (column 4, lines 5-10);

parsing the log data information to create a corresponding event object 
(column 4, lines 10-21); 

evaluating the event object according to at least one predetermined 
threshold condition (column 4, lines 27-30); 

where the information contained within the event object satisfies the 
predetermined threshold condition, broadcasting the event object as an intrusion 
alarm in real time to a display screen on a graphic user interface (column 13, 
lines 10-12). 



As per claim 2, Orchier teaches alerting the user that a network intrusion 
event has occurred is a graphical user interface in communication with the event 
broadcaster, the graphical user interface comprising a display screen for 
displaying an intrusion alarm and the information contained within the 
corresponding event object received from the event broadcaster (column 13, 
lines 10-12). 



Application/Control Number: 09/640,606 Page 6

Art Unit: 2131 

As per claims 3 and 26, Orchier teaches means for storing event objects, 
said means coupled to the event parsers (column 5, lines 30-40); 

a report servlet coupled to the graphic user interface, the report servlet for 
recalling stored event objects in response to user queries from the graphic user 
interface and displaying recalled event objects on the graphic user interface 
display screen (column 13, lines 42-44); 

an application reporter coupled to the report servlet for receiving and 
processing user queries and for performing searches of stored event objects 
(column 13, lines 42-44); 

a database accessible by the application reporter, for holding stored event 
objects, the database configured to recall event objects in response to searches 
executed by the application reporter (column 5, lines 30-40). 



As per claim 4 and 27, Orchier teaches a network port to receive log data 
having a conforming message format from at least one network service device 
(column 4, lines 19-21); 

means for transmitting the log data having a conforming message format 
to the event parsers, said means coupled to the network port (column 4, lines 5- 
10); 

a reporting agent coupled to the network port for collecting log data having 
a nonconforming message format from the at least one network service device 
and converting the log data to a conforming message format (column 4, lines 7- 
10). 
As per claims 5 and 28, Orchier teaches the conforming message format
is syslog (column 13, line 50). 

As per claim 6, Orchier teaches the graphical user interface display screen 
comprises an alarm console, coupled to the event broadcaster, configured to 
display intrusion alarms, and a report console, coupled to the report servlet, 
configured to execute queries input by a user and display results, wherein the 
alarm console and event broadcaster are displayed simultaneously on the 
display screen (column 14, lines 5-10 and Fig 8b). 

As per claims 7 and 30, Orchier teaches the report console is further 
configured to display query result data in summary lines, said summary lines 
comprising hypertext links providing access to further data (column 13, lines 45- 
50 and Fig 8b, 'Note'). 

As per claims 8 and 29, Orchier teaches the alarm console displays 
intrusion alarms in summary lines, said summary lines comprising hypertext links 
providing access to further data (column 13, lines 45-50 and Fig 8b, 'Note'). 

As per claim 9, Orchier teaches the graphical user interface displays the 
status of network security devices in real time (column 2, lines 30-35). 
As per claim 10, Orchier teaches the graphical user interface displays the
status of network security devices in summary lines, said summary lines
comprising hypertext links providing access to further data (column 13, lines 45- 
48 and Fig 8b, 'Note'). 



As per claims 12, 33, and 34, Orchier teaches comprising a chat manager 
accessible to a user from the alarm console for executing electronic 
communications links between the user and others having an electronic 
communications link to the computer system (column 13, lines 10-15 and column 
14, lines 5-10). 

As per claim 13, Orchier teaches the electronic communications link is an 
on line link established through a web browser interface (column 13, lines 35-52). 

As per claim 14, Orchier teaches a plurality of event parsers wherein each 
event parser is configured to receive log data from a predetermined network 
service device, the plurality of parsers each coupled to the event manager 
(column 4, lines 1-5). 

As per claim 15, Orchier teaches the information contained within the
event object is read by the event manager and assigned a severity level
corresponding to the event type information contained within the event object,
and the predetermined threshold condition is the assigned severity level (column
13, lines 24-28 and column 13, lines 65-66).

As per claim 17, Orchier teaches an event aggregator module and 
wherein the event parser is housed within the event aggregator module, and log 
data from a multiplicity of network device sources is received by the event parser 
(Figure 2, element 54). 

As per claim 18, Orchier teaches the event parser reads log data posted in 
extensible markup language (column 13, lines 45-55). 

As per claim 19, Orchier teaches the computer system is one of a 
multiplicity of computer systems each having a graphic user interface and the 
computer system further comprises a central graphic user interface which, 
accesses at least one of the graphic user interfaces of the multiplicity of 
computer systems (column 5, lines 19-25). 

As per claim 20, Orchier teaches the central graphic user interface 
accesses at least one of the report servlets of the multiplicity of computer 
systems and communicates with at least one of the databases of the multiplicity 
of computer systems (column 5, lines 19-25 and column 7, lines 28-50). 
As per claim 21, Orchier teaches filtering event objects received by the
event manager according to one or more predetermined conditions so as to 
restrict the field of event objects designated for broadcast (column 4, lines 19-30 
and column 13, lines 32-35). 



As per claims 22 and 31, Orchier teaches filtering log data received at the
network port according to one or more predetermined conditions so as to restrict 
receipt of corresponding log data by said transmitting means (column 13, lines 
55-67). 
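The pipeline the examiner reads onto claims 1, 15, 21 and 25 above (parse conforming syslog lines into event objects, assign a severity by event type, filter on predetermined conditions, and broadcast events that meet the threshold as alarms) is written out below as an added illustration; it is not code from the application, from Orchier, or from any product the Office action cites, and the log lines, event types and severity table are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed syslog-style lines standing in for a network device's log feed
# (hypothetical sample data, not taken from the application or the cited art).
SAMPLE_LOG = """\
<134>Aug 17 10:01:02 fw1 ids: type=PORTSCAN src=10.0.0.5 dst=10.0.0.9 dport=22 proto=tcp
<134>Aug 17 10:01:03 fw1 ids: type=LOGIN_OK src=10.0.0.7 dst=10.0.0.9 dport=22 proto=tcp
<132>Aug 17 10:01:04 fw1 ids: type=EXPLOIT_ATTEMPT src=10.0.0.5 dst=10.0.0.9 dport=80 proto=tcp
<134>Aug 17 10:01:05 fw1 ids: type=PORTSCAN src=10.0.0.5 dst=10.0.0.11 dport=443 proto=tcp
"""
# Conforming message format: <PRI>timestamp host app: key=value ...
LINE_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3} \d{1,2} [\d:]{8}) (?P<host>\S+) (?P<app>[^:]+): (?P<kv>.*)$")

# Severity assigned by event type (the claim 15 arrangement); higher is more severe.
SEVERITY_BY_TYPE = {"LOGIN_OK": 1, "PORTSCAN": 3, "EXPLOIT_ATTEMPT": 5}

@dataclass
class EventObject:
    host: str
    event_type: str
    fields: dict      # src, dst, dport, proto and any other key=value pairs
    severity: int = 0

def parse_log(text):
    """Event parser: turn conforming (syslog) lines into event objects."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a nonconforming line would first go through a reporting agent (claim 4)
        kv = dict(p.split("=", 1) for p in m.group("kv").split())
        events.append(EventObject(m.group("host"), kv.pop("type", "UNKNOWN"), kv))
    return events

def manage(events, threshold, filters=None):
    """Event manager: assign severity, drop events failing the predetermined
    conditions (claim 21), and designate those meeting the threshold for broadcast."""
    designated = []
    for ev in events:
        ev.severity = SEVERITY_BY_TYPE.get(ev.event_type, 0)
        if filters and any(ev.fields.get(k) != v for k, v in filters.items()):
            continue
        if ev.severity >= threshold:
            designated.append(ev)
    return designated

def broadcast(designated):
    """Event broadcaster: render each designated event object as an intrusion alarm line."""
    return [f"ALARM sev={e.severity} {e.event_type} on {e.host} from {e.fields.get('src')}"
            for e in designated]

if __name__ == "__main__":
    print("\n".join(broadcast(manage(parse_log(SAMPLE_LOG), threshold=3))))
```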



Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

A patent may not be obtained though the invention is not identically 
disclosed or described as set forth in section 102 of this title, if the 
differences between the subject matter sought to be patented and the 
prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having 
ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the
invention was made. 



Claim 11 is rejected under 35 U.S.C. 103(a) as being unpatentable over
Orchier in view of Battat et al, herein Battat, (USP 5,958,012). 



As per claim 11, Orchier does not teach that the graphical user interface
displays the status of network security devices in a color-coded format where
said color designates a particular status level for the particular device. Battat
teaches displaying the status of network security devices in a color-coded
format where said color designates a particular status level for the
particular device (column 5, lines 5-7). Battat uses a color-coded status level so
that events that need immediate attention are quickly spotted first. It would be 
advantageous to act upon the most severe threat first. 

In view of this, it would have been obvious to one of ordinary skill in the art 
at the time the invention was made to employ the teaching of Battat within the 
system of Orchier because it would allow the events to be color-coded which 
would help the administrator to differentiate between severe threats and minor 
threats. One skilled in the art would have been motivated to generate the 
claimed invention with a reasonable expectation of success. 
Claim 16 is rejected under 35 U.S.C. 103(a) as being unpatentable over
Orchier in view of Hill et al, herein Hill, (USP 6,088,804). 



As per claim 16, Orchier fails to teach that the severity level is one of
seven categories for types of events contained within event objects. Hill teaches
categorizing types of events into more than one category (column 14, lines 26-
29). Categorizing types of events is advantageous because it would allow the 
user to quickly identify the severity level of the problem. 

In view of this, it would have been obvious to one of ordinary skill in the art 
at the time the invention was made to employ the teaching of Hill within the 
system of Orchier because it would allow the events to be categorized, which 
would help the administrator to differentiate between severe threats and those 
threats of less importance. One skilled in the art would have been motivated to 
generate the claimed invention with a reasonable expectation of success. 



Claims 23, 24, and 32 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Orchier. 

As per claims 23, 24, and 32, Orchier teaches the predetermined 
conditions are application name, host name, and internal device alarm 
identification (column 13, lines 55-66). Orchier teaches retrieving data by various 
network domain parameters. Orchier is silent in expressly disclosing using the 
source address, destination address, destination port, and protocol. Orchier's 
computer system without a doubt does log these types of parameters, as any
network monitoring system would need to log, in order to adequately monitor and 
protect the entire network. Since these types of parameters are being logged, it 
would have been obvious to one of ordinary skill in the art to also use these 
parameters as conditions in which to retrieve crucial network data. In view of this 
it would have been obvious to one of ordinary skill in the art to modify the 
teachings of Orchier by also using the source address, destination address, 
destination port, and protocol to retrieve log data about an event. 



Conclusion 

Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Michael R Vaughan whose telephone number 
is 703-305-0354. The examiner can normally be reached on M-F 7:30-4:00, 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Ayaz Sheikh can be reached on 703-305-9648. The fax 
phone number for the organization where this application or proceeding is 
assigned is 703-872-9306. 
Information regarding the status of an application may be obtained from
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair- 
direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll- 
free). 

MV 

Michael R Vaughan 



Examiner 
AYAZ SHEIKH
SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100 



